]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/modules/services/mail/postfix.nix
Add given password for hosts/carotte/nebula/carotte.key to store.
[sourcephile-nix.git] / nixos / modules / services / mail / postfix.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (lib) types;
4 inherit (config.services) postfix;
5 in
6 {
7 options = {
8 services.postfix = {
9 tls_server_sni_maps = lib.mkOption {
10 type = types.attrsOf (types.listOf types.path);
11 default = { };
12 apply = m: pkgs.writeText "sni" (lib.concatStringsSep "\n" (lib.mapAttrsToList
13 (domain: x509: ''
14 ${domain} ${lib.concatStringsSep " " x509}
15 '')
16 m));
17 };
18 };
19 };
20 config = {
21 systemd.services.postfix = {
22 preStart = ''
23 install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/postfix/postfix-sni
24 ${pkgs.postfix}/bin/postmap -F hash:/run/postfix/postfix-sni
25 '';
26 serviceConfig = {
27 RuntimeDirectory = [ "postfix" ];
28 };
29 };
30 services.postfix = {
31 masterConfig = {
32 submissions-header-cleanup = {
33 type = "unix";
34 private = false;
35 maxproc = 0;
36 command = "cleanup";
37 args = [
38 "-o"
39 ("header_checks=pcre:" + pkgs.writeText "submission_header_cleanup_rules" ''
40 # Removes sensitive headers from mails handed in via the submission or smtps port.
41 # See https://thomas-leister.de/mailserver-debian-stretch/
42 # Uses "pcre" style regex.
43
44 /^Received:/ IGNORE
45 /^User-Agent:/ IGNORE
46 /^X-Enigmail:/ IGNORE
47 /^X-Mailer:/ IGNORE
48 /^X-Originating-IP:/ IGNORE
49 '')
50 ];
51 };
52 };
53 };
54 };
55 }